Re: Anyone see anything wrong with the syntax of the query?

2013-03-07 Thread Russ Michaels
OK, found an example for you. www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me Sadly I cannot provide any links as proof, so I won't argue with you, but I am sure I have seen someone on this list provide some advanced sql injection examples that got through

Re: Anyone see anything wrong with the syntax of the query?

2013-03-07 Thread Dave Watts
> Sadly I cannot provide any links as proof, so I won't argue with you, but I am sure I have seen someone on this list provide some advanced sql injection examples that got through cfqueryparam

The only way for this to be possible is to do something with the data in your SQL after

Re: Anyone see anything wrong with the syntax of the query?

2013-03-07 Thread Maureen
Anyone who uses a url variable in a sql statement - even with cfqueryparam - is simply asking for trouble. On Thu, Mar 7, 2013 at 1:18 PM, Russ Michaels snake.li...@snakepit.net wrote: Ok found an example for you.

Re: Anyone see anything wrong with the syntax of the query?

2013-03-07 Thread Rick Root
How exactly are we asking for trouble by using URL variables within CFQUERYPARAMs? For example, a message board might link to a message topic with viewTopic.cfm?threadid=5 You can't do form posts for every call to your application, so I'm curious as to how you propose doing this. cfset myvar =

Re: Anyone see anything wrong with the syntax of the query?

2013-03-07 Thread Maureen
At some point, you want to verify that you are passing an actual threadid (to use your example) and not a sql statement that someone has appended to the url as threadid. If you simply use the url variable you aren't doing that. If your cfqueryparam is checking for an integer you would probably

Re: Anyone see anything wrong with the syntax of the query?

2013-03-07 Thread Rick Root
Even if your cfqueryparam is looking for a string (say you're using a UUID), you're still safe because they're passed in as arguments to a manufactured stored procedure. Ultimately, the db ends up doing something like this: declare @p1 nvarchar(4000); select * from forums where threadid=@p1

Re: Anyone see anything wrong with the syntax of the query?

2013-03-07 Thread Dave Watts
> Anyone who uses a url variable in a sql statement - even with cfqueryparam - is simply asking for trouble.

There is nothing inherently unsafe in doing this. The worst that can occur is an SQL error. The database will not execute the contents of the variable. Dave Watts, CTO, Fig Leaf Software

Re: Anyone see anything wrong with the syntax of the query?

2013-03-07 Thread Dave Watts
> I rarely use url variables, but when I do I always check to make sure it contains the type of data I am expecting it to contain.

There is no difference between URL, form, cookie or (certain) CGI variables, really. They're all equally unsafe. Anything that comes from the browser is unsafe.

Re: Anyone see anything wrong with the syntax of the query?

2013-03-06 Thread Rick Root
And, in this case, having cfqueryparam helps you debug weird errors that you'd get when a field that is expected to be numeric is blank or not numeric. I.e. where myField=#someval# will result in an unrecognizable syntax error if #someval# is an empty string, and the line number will be the end

Re: Anyone see anything wrong with the syntax of the query?

2013-03-06 Thread Russ Michaels
I used cfparam to do that before cfqueryparam existed. Regards Russ Michaels www.michaels.me.uk www.cfmldeveloper.com - Free CFML hosting for developers www.cfsearch.com - CF search engine On Mar 6, 2013 8:37 PM, Rick Root rick.r...@gmail.com wrote: And, in this case, having cfqueryparam

Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread Rick Faircloth
cfquery name = qGetAllPropertiesAndOpenHouses datasource=#arguments.real_estate_dsn# select substring_index(p.mls_number, '_', 1) as p.mls_number, p.street_number, p.street_name, p.city, p.state, oh.mls_number, oh.date, oh.start_time, oh.end_time,

Re: Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread John M Bliss
Perhaps it's the contents of that variable? Try putting it into a cfqueryparam. On Tue, Mar 5, 2013 at 10:47 AM, Rick Faircloth r...@whitestonemedia.com wrote: cfquery name = qGetAllPropertiesAndOpenHouses datasource=#arguments.real_estate_dsn# select substring_index(p.mls_number,

RE: Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread Dave Jemison
Obvious first question- what is the exact value of #arguments.listing_office_mls_id#? When debugging something that I can't figure out from the query, I put the whole things within a CFOUTPUT so I can see exactly what's being sent to the DB. -Original Message- From:

RE: Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread Rick Faircloth
Thanks for the feedback, John. I'm not sure what was wrong with that query. The line throwing the error worked when I had the queries separated, before I tried a left join. Separating them again worked after I changed this line: where substring_index(p.mls_number, '_', 1) = oh.mls_number

Re: Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread Bobby
Use cfqueryparam to rule out the value of the arguments variable causing syntax related issues. When an error tells you the line number and it is in a query, it rarely is that actual line; it just knows it is in the query somewhere. On 3/5/13 11:47 AM, Rick Faircloth r...@whitestonemedia.com

Re: Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread Byron Mann
Not concerned with the sql syntax as much as I am about not using cfqueryparam. Please please please take the time to convert every query you have to use that. Based on your cfarguments and db permissions for your dsn, a bad bad user might be able to delete everything from your database. Byron

RE: Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread Rick Faircloth
Thanks for the tips and feedback, everyone! Rick -Original Message- From: Byron Mann [mailto:byronos...@gmail.com] Sent: Tuesday, March 05, 2013 2:05 PM To: cf-talk Subject: Re: Anyone see anything wrong with the syntax of the query? Not concerned with the sql syntax as much as I am

Re: Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread Russ Michaels
BTW, cfqueryparam is not actually there to protect against sql injection, rather it is for parameterising queries to create execution plans for better performance. You can validate data in various ways before using it in your query to achieve the same result, such as cfparam, which will sometimes be

Re: Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread Dave Watts
> Protecting against sql injection also requires more than simply validating datatypes, relying on cfqueryparam to do this will only protect you from the basic drive-by injections that rely on numeric fields accepting strings, not advanced injections which can be done on any text field.

This

Re: Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread Russ Michaels
Sadly I cannot provide any links as proof, so I won't argue with you, but I am sure I have seen someone on this list provide some advanced sql injection examples that got through cfqueryparam On Tue, Mar 5, 2013 at 9:50 PM, Dave Watts dwa...@figleaf.com wrote: Protecting against sql

Re: Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread Dave Watts
> Sadly I cannot provide any links as proof, so I won't argue with you, but I am sure I have seen someone on this list provide some advanced sql injection examples that got through cfqueryparam

The only way for this to be possible is to do something with the data in your SQL after receiving the

Re: Anyone see anything wrong with the syntax of the query?

2013-03-05 Thread Byron Mann
I'd have to agree with Dave. The only time I've seen an issue (with cfqueryparam) was with something like a sql string generated based on say a search form and then that being passed to a stored procedure that executes the statement in the procedure. Not to say it's impossible, for there are
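The two positions in this thread (Dave's "the database will not execute the contents of the variable" and Byron's exception for SQL text that is built in the application and then executed by a stored procedure) can be shown side by side with a bound-parameter query. The following is an added example written for this page, not code from the thread or from ColdFusion itself: it uses Python's sqlite3 in place of cfquery/cfqueryparam because it runs stand-alone, and the DB-API `?` placeholder is the same mechanism as cfqueryparam's bind variable (the `@p1` Rick describes). The `forums` table, the two payloads and all function names are constructed for the example; `exec_dynamic` stands in for a stored procedure that executes a SQL string it is handed.

```python
import sqlite3
from typing import Callable

# Constructed sample data standing in for a message board's "forums" table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forums (threadid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO forums (threadid, title) VALUES (?, ?)",
        [(5, "Welcome"), (6, "Staff only"), (7, "Lost password")],
    )
    return conn

# Attacker-controlled values as they might arrive in viewTopic.cfm?threadid=...
# or in a search form field (constructed for this example).
THREADID_PAYLOAD = "5 OR 1=1"
SEARCH_PAYLOAD = "' OR 1=1 OR '"

def view_topic_concat(conn: sqlite3.Connection, threadid: str) -> list:
    """Vulnerable: the URL variable is pasted into the statement text, so
    "5 OR 1=1" becomes part of the WHERE clause and the database runs it."""
    sql = f"SELECT threadid, title FROM forums WHERE threadid={threadid} ORDER BY threadid"
    return conn.execute(sql).fetchall()

def view_topic_param(conn: sqlite3.Connection, threadid: str) -> list:
    """Bound parameter (the DB-API analogue of <cfqueryparam>): the statement
    text is fixed and the value travels separately, so the database compares
    the string '5 OR 1=1' against threadid and never parses it. The worst
    outcome is no rows or an error, not execution."""
    sql = "SELECT threadid, title FROM forums WHERE threadid=? ORDER BY threadid"
    return conn.execute(sql, (threadid,)).fetchall()

def view_topic_typed(conn: sqlite3.Connection, threadid: str) -> list:
    """Binding plus the type check that cfsqltype="cf_sql_integer" adds:
    anything that is not an integer is rejected up front with a clear message
    instead of a syntax error reported somewhere inside the query."""
    try:
        tid = int(threadid)
    except ValueError as exc:
        raise ValueError(f"threadid must be an integer, got {threadid!r}") from exc
    sql = "SELECT threadid, title FROM forums WHERE threadid=? ORDER BY threadid"
    return conn.execute(sql, (tid,)).fetchall()

def rejects(fn: Callable, conn: sqlite3.Connection, value: str) -> bool:
    """True if fn raises (ValueError from the typed version, a database syntax
    error from the concatenated one) instead of returning rows."""
    try:
        fn(conn, value)
        return False
    except (ValueError, sqlite3.Error):
        return True

# The case where binding does not help: the application builds a statement
# from form input and hands the finished SQL text to something that executes
# it. exec_dynamic is a stand-in for a stored procedure doing EXEC(@sql);
# a cfqueryparam around @sql would protect the call, not what the text does.
def search_sql(term: str) -> str:
    return f"SELECT threadid, title FROM forums WHERE title LIKE '%{term}%' ORDER BY threadid"

def exec_dynamic(conn: sqlite3.Connection, sql: str) -> list:
    return conn.execute(sql).fetchall()

if __name__ == "__main__":
    conn = make_db()
    print("concat  :", view_topic_concat(conn, THREADID_PAYLOAD))          # every row
    print("param   :", view_topic_param(conn, THREADID_PAYLOAD))           # []
    print("typed   :", rejects(view_topic_typed, conn, THREADID_PAYLOAD))  # True
    print("blank   :", rejects(view_topic_concat, conn, ""))               # True, syntax error
    print("dynamic :", exec_dynamic(conn, search_sql(SEARCH_PAYLOAD)))     # every row
```

The blank-value case is Rick Root's debugging point: with concatenation an empty threadid produces a syntax error inside the query text, while the typed version fails at the parameter with a message that names the variable. SQLite compares the bound text against the INTEGER column without converting it unless it is a well-formed number, which is why the bound payload matches nothing; a stricter server would report a conversion error, which is still an error rather than execution.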